ISO/IEC 38500 – IT governance

ISO/IEC 38500 is the international standard that provides principles and guidance for effective IT governance. It helps governing bodies ensure that the use of information technology supports organisational objectives, delivers value, manages risk, and uses resources responsibly.

ISO/IEC 38500 is not a certifiable standard. It is designed to guide boards, executives, and senior leaders in setting direction and oversight for IT.

Get a quote for ISO certification

What is ISO/IEC 38500?

ISO/IEC 38500 is jointly published by the International Organization for Standardization and the International Electrotechnical Commission.

The standard focuses on governance rather than management. It clarifies how leaders should evaluate, direct, and monitor the use of IT, while leaving day-to-day delivery to management.

What does ISO/IEC 38500 cover?

ISO/IEC 38500 provides a simple, high-level model for governing IT, covering:

  • Clear accountability for IT decisions
  • Alignment between IT and organisational strategy
  • Value creation from IT investments
  • Risk management and compliance
  • Performance monitoring and transparency
  • Responsible use of IT resources

It applies to all forms of IT, including digital platforms, cloud services, data, software, and emerging technologies.

The ISO/IEC 38500 governance model

The standard defines three core governance activities:

Evaluate

Assess current and proposed IT use, strategies, and investments.

Direct

Set policies, priorities, and expectations for how IT should be used.

Monitor

Track performance, conformance, and outcomes against objectives.

This model helps leaders maintain oversight without becoming involved in operational detail.

The six principles of ISO/IEC 38500

ISO/IEC 38500 is built around six governance principles that should guide IT decision-making:

Responsibility

Clear accountability for IT decisions and outcomes.

Strategy

IT supports and enables organisational strategy.

Acquisition

IT investments are justified, transparent, and deliver value.

Performance

IT performs well and meets business requirements.

Conformance

IT complies with legal, regulatory, and internal obligations.

Human behaviour

IT policies and practices respect people and organisational culture.

Together, these principles ensure balanced and responsible use of IT.

Who is ISO/IEC 38500 for?

ISO/IEC 38500 is particularly relevant for:

  • Boards and governing bodies
  • Chief executives and senior leadership teams
  • Non-executive directors
  • Public sector and regulated organisations
  • Organisations undergoing digital transformation

It is useful wherever leaders need confidence that IT decisions are well governed.

ISO/IEC 38500 vs IT management standards

ISO/IEC 38500IT management standards
Governance and oversightOperational delivery
Board and executive focusManagement and teams
Principles and guidanceDetailed requirements
Not certifiableOften certifiable

ISO/IEC 38500 complements standards such as ISO/IEC 20000-1 and ISO/IEC 27001 by setting expectations at leadership level.

How organisations use ISO/IEC 38500 in practice

Organisations commonly use ISO/IEC 38500 to:

  • Clarify board-level accountability for IT
  • Improve decision-making on digital investment
  • Align IT strategy with business objectives
  • Strengthen oversight of risk, security, and compliance
  • Support assurance and reporting to stakeholders

It is often referenced within governance frameworks, policies, and board charters.

Is ISO/IEC 38500 certification possible?

No. ISO/IEC 38500 cannot be certified.

There are no accredited audits or certificates for this standard. Organisations may state that their IT governance practices are aligned with ISO/IEC 38500 guidance, but this is not the same as certification.

Benefits of using ISO/IEC 38500

Organisations that apply ISO/IEC 38500 effectively often achieve:

  • Clearer accountability for IT decisions
  • Better alignment between IT and strategy
  • Improved value from IT investments
  • Stronger oversight of risk and compliance
  • Increased confidence at board level

Its value lies in clarity, direction, and assurance, not formal recognition.

Common misunderstandings about ISO/IEC 38500

  • “It is an IT management standard” – it focuses on governance
  • “It replaces frameworks like ITIL” – it complements them
  • “It is only for large organisations” – it is scalable
  • “It is too high-level to be useful” – it guides critical decisions

Understanding its role helps organisations apply it effectively.

How ISO/IEC 38500 fits with other ISO standards

ISO/IEC 38500 commonly sits above:

Together, these standards link governance, control, and delivery across IT and the wider organisation.

Next steps

If you want to strengthen IT governance:

  • Review board and executive accountability for IT
  • Assess current decision-making against ISO/IEC 38500 principles
  • Clarify policies for strategy, investment, risk, and performance
  • Align IT management standards with governance expectations

ISOcertified.net provides practical guidance on governance-focused ISO standards, including how ISO/IEC 38500 supports effective, responsible oversight of IT in modern organisations.

Get A Quote ⓘ